User and Group Accounts
XP allows you to create local user and group accounts, to which
you can assign permissions to resources and rights to perform
certain tasks. When you create a local user or
group account on Windows XP, it is stored in the local security
database and can be used only on the local computer. If the
computer is a member of a domain, you need a domain user account
instead of a local user account to be able to access resources in
the domain. If the computer is a member of a workgroup and you want
to be able to log on to other computers using a single user name,
you need to create an identical user account on each of the computers
you want to access.
XP provides two built-in users, Administrator and Guest.
The Administrator account is a member of the local Administrators
group and has full permissions to all local resources by default.
This is the account you use to configure your computer, i.e. create
other user accounts and assign permissions and rights. You cannot
delete or disable the Administrator account. The Guest account
is disabled by default. The Administrator can enable it to allow
guests, people who do not have a user account, to log on to the computer.
You should rename the built-in accounts to make it more difficult
for a malicious individual to gain access by guessing account names.
The main purpose of a local group account is to simplify administration
by allowing permissions and rights to be assigned to a collection
of users instead of an individual user. When you assign or change
permissions or rights to a group, all the members in that group
will inherit those permissions or rights. Local groups cannot have
other local groups as members, only user accounts. Windows XP includes
the following groups by default:
• Administrators – Have full permissions by default
and can change their own permissions and rights as well as those
of other users and groups. Can also take ownership of files.
• Backup Operators – Can back up or restore
files without being limited by file permissions. Backup Operators
can also log on locally and shut down the system.
• Guests – Have the same permissions and rights
as the Users group by default. The Guest user account is the only
member and is disabled by default.
• Network Configuration Operators – Have limited
administrative access to configure network settings.
• Power Users – Have limited administrative
access. They can create new user accounts but cannot modify or delete
existing accounts, and they can remove users from the Power
Users, Users, and Guests groups but cannot
modify the Administrators or Backup Operators
• Remote Desktop Users – Have the right to
log on remotely, to be able to use the Remote Desktop feature
to connect and log on to this computer.
• Replicator – Group account used for file
replication in a domain. Do not add regular user accounts to this
• Users – Have sufficient permissions and rights
to run certified Windows applications, but cannot run most legacy
applications. This prevents regular users from making system-wide
changes. Members of the Users group can create new groups but cannot modify
or delete other groups.
• HelpServicesGroup – Group for the Help
and Support Center.
The following are some of the special identities in Windows XP that are
similar to groups, but to which users are automatically added depending
on how they access the computer. You cannot add users to these groups
manually, but you can assign permissions to them.
• Anonymous Logon – Users that connected without logging
on to the computer.
• Authenticated Users – Users that connected
and are authenticated by the local computer. Does not include the
• Everyone – Includes Authenticated Users
• Interactive – Users that logged on locally
or through a Remote Desktop connection.
• Network – Users that connected over the network
and are logged on to the local computer.
You can manage users and groups on your local computer by using the Local
Users and Groups snap-in of Computer Management, shown
below. To create a new account, right-click the Users or
Groups container and select New User or New
Group. To rename, delete, or set a password for the user account,
right-click it in Local Users and Groups and select the
To change the settings of a user or group account, double-click it
to open its properties. On the General tab of a user account’s
properties, shown below, you can enter a full name and a description
for the user account.
The General tab also provides the following account settings:
• User must change password at next logon – When this
setting is enabled, the user will be required to change the password
the next time he or she logs on.
• User cannot change password – When this setting
is enabled, the user cannot change the password.
• Password never expires – When this setting
is enabled, the password will not expire even if it is older than
specified in the Maximum password age policy.
• Account is disabled – When this setting is
enabled, the user account will be disabled and cannot be used to
• Account is locked out – This setting will
be enabled automatically when a user enters an incorrect password
for the number of times specified in the Account lockout threshold
policy. The account will be locked out for the duration specified
in the Account lockout duration policy, or until an Administrator
disables this setting manually. Both these Account Lockout Policy
settings will be discussed in the next section.
The Member Of tab of a user account’s Properties
sheet lists the local groups of which the user is a member. If you
want to add a user to a group, you can click the Add button
on the Member Of tab of a user account, or the Members
tab of the group account’s Properties.
The Profile tab allows you to provide a path to the profile
(discussed in the Desktop
Environment TechNotes) and a logon script. You can also
provide a path for a user’s home folder, and optionally map
it to a drive letter. These options are typically only used when
the computer is a member of a domain.
A more limited way to manage local users is by using User Accounts
in the Control Panel. One option of User Accounts that
is worth mentioning is the Manage my network passwords,
available under Related Tasks, which provides access to
the Stored User Names and Passwords dialog. The latter
will be discussed in more detail in the Local Security Configuration
Account policies are group policy settings that can be used to enforce a
password and account lockout policy for the local computer. You
can access the account policy settings in the Account Policies
section of the Local Security Policy, which is available
in the Administrative Tools section and in the Windows
Settings section under Computer Configuration in the
Group Policy editor (gpedit.msc). You must be a member
of the Administrators group to be able to configure account policy
settings. Windows includes the following account policy settings:
• Enforce password history – Specifies how
many different passwords have to be used before an old password
can be reused. The default value is 1. If you set the value to 0,
Windows XP won’t maintain a password history.
• Maximum password age – Specifies the maximum
number of days the same password can be used before requiring the
user to change it. The default value is 42. The password will not
expire if you set the value to 0.
• Minimum password age – Specifies how many
days a password must be used before the user can change it. The
default value is 0.
• Minimum password length – Specifies the minimum
password length. Microsoft recommends a minimum of 8. A password won’t
be required if you set the value to 0.
• Passwords must meet complexity requirements –
Enable this policy to enforce the following minimum requirements
o Cannot contain the user's account name or
part of it
o Must be 6 characters in length or longer
o Must contain characters from three of the
following four categories:
- Uppercase characters
(A through Z)
- Lowercase characters
(a through z)
- 0 through 9
- Nonalphanumeric characters
(e.g., !, $, #, %)
• Store password using reversible encryption for all users
in the domain – Enabling this policy allows applications
using authentication protocols that require plaintext passwords,
such as CHAP, access to the password. Never enable this option.
• Account lockout duration – Specifies the
number of minutes a locked-out account remains locked out before
automatically being unlocked. If you set the value to 0, the account
will remain locked out until an administrator manually unlocks it
(by disabling the Account is locked out user account setting
in Local Users and Groups).
• Account lockout threshold – Specifies the
number of failed logon attempts that result in a user account becoming
locked out. Accounts will never be locked out if you set this
value to 0. This setting does not apply to failed password attempts
on a computer locked using Ctrl+Alt+Delete or a screen saver.
• Reset account lockout counter after – Determines
the number of minutes that must elapse after a failed logon attempt
before the failed logon attempt counter is reset to 0 bad logon
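The complexity requirements listed under Passwords must meet complexity requirements and the three Account Lockout Policy settings (threshold, duration, reset counter) can be modelled in a few dozen lines. The Python below is an added example written for these notes, not code from the TechNotes or from Windows: the names AccountPolicy, check_password and LocalAccount, the sample account jdoe, and all policy values and timestamps are constructed. Two assumptions are labelled in the comments: "part of it" in the account-name rule is read as any token of the full name longer than two characters, and SHA-256 stands in for the password hash Windows keeps in the local security database.

```python
"""Model of the XP local account policy described above: password complexity,
minimum length, and the Account Lockout Policy settings.  Added example, not
code from the TechNotes; names, sample users and values are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass
class AccountPolicy:
    min_length: int = 8             # Minimum password length (0 = no password required)
    complexity: bool = True         # Passwords must meet complexity requirements
    lockout_threshold: int = 5      # failed logons before lockout (0 = never lock out)
    lockout_duration_min: int = 30  # minutes locked out (0 = until an administrator unlocks)
    reset_counter_min: int = 30     # minutes after a bad logon before the counter resets


def complexity_errors(password, account_name, full_name=""):
    """Return the list of complexity requirements the password fails."""
    errors = []
    if len(password) < 6:
        errors.append("shorter than 6 characters")
    low = password.lower()
    if account_name and account_name.lower() in low:
        errors.append("contains the account name")
    # Assumption: "part of it" is read as any token of the full name longer
    # than two characters (the way Windows documents the rule).
    for token in re.split(r"[\s,.\-_#]+", full_name):
        if len(token) > 2 and token.lower() in low:
            errors.append("contains part of the full name (%r)" % token)
    categories = [
        any("A" <= c <= "Z" for c in password),   # uppercase characters
        any("a" <= c <= "z" for c in password),   # lowercase characters
        any("0" <= c <= "9" for c in password),   # 0 through 9
        any(not c.isalnum() for c in password),   # nonalphanumeric characters
    ]
    if sum(categories) < 3:
        errors.append("fewer than three of the four character categories")
    return errors


def check_password(policy, password, account_name, full_name=""):
    """Every reason the policy rejects the password; an empty list means accepted."""
    errors = []
    if len(password) < policy.min_length:
        errors.append("shorter than the minimum length of %d" % policy.min_length)
    if policy.complexity:
        errors.extend(complexity_errors(password, account_name, full_name))
    return errors


class LocalAccount:
    """A local user account tracking the lockout state described above."""

    def __init__(self, name, password, policy):
        self.name = name
        self.policy = policy
        # Assumption: SHA-256 stands in for the hash Windows stores (model only).
        self._digest = hashlib.sha256(password.encode()).digest()
        self.bad_logons = 0        # failed logon attempt counter
        self.last_bad = None       # time (seconds) of the last failed attempt
        self.locked_out = False    # the "Account is locked out" setting
        self.locked_until = None   # None while locked: until an administrator unlocks

    def unlock(self):
        """What an administrator does by clearing 'Account is locked out'."""
        self.locked_out = False
        self.locked_until = None
        self.bad_logons = 0

    def logon(self, password, now):
        """Attempt a logon at time `now` (seconds) and return the outcome."""
        if self.locked_out:
            if self.locked_until is not None and now >= self.locked_until:
                self.unlock()          # Account lockout duration has elapsed
            else:
                return "locked out"    # even the correct password is refused
        digest = hashlib.sha256(password.encode()).digest()
        if hmac.compare_digest(digest, self._digest):
            self.bad_logons = 0
            return "success"
        # Reset account lockout counter after: stale failures no longer count
        window = self.policy.reset_counter_min * 60
        if self.last_bad is not None and now - self.last_bad >= window:
            self.bad_logons = 0
        self.bad_logons += 1
        self.last_bad = now
        threshold = self.policy.lockout_threshold
        if threshold and self.bad_logons >= threshold:
            self.locked_out = True
            duration = self.policy.lockout_duration_min * 60
            self.locked_until = None if duration == 0 else now + duration
            return "locked out"
        return "bad password"
```

The model keeps the two policy interactions that matter in practice: a correct password is still refused while the account is locked out, and with a lockout duration of 0 only unlock() (an administrator clearing Account is locked out) restores access.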
XP allows you to assign rights to users and groups, which authorize
users to perform specific tasks on the local computer. Rights
are not the same as permissions; the latter are used to
authorize access for groups and users to objects such as files and
printers. You can assign these rights to user or group accounts
in the User Rights Assignments section of the Local
Security Policy, which is available in the Administrative
Tools section. You can also find them under Local Policies
in the Windows Settings section under Computer Configuration
in the Group Policy editor (gpedit.msc). There are two different
types of user rights: logon rights and privileges.
The following list shows some of the common user rights for both
• Log on locally – Allows a user to log on
to the local computer.
• Log on as a service – Allows you to create a system
account for services.
• Access this computer from a network – Allows a user
access to this computer through a network connection.
• Allow logon through terminal services – Allows a user
to log on to this computer through a Remote Desktop connection.
• Deny local logon – Allows you to explicitly deny local
logon to users who are assigned the right to Log on locally through
• Deny logon through terminal services – Allows you
to explicitly deny Remote Desktop access to users who are
assigned the right to Allow logon through terminal services
through group membership.
• Load and unload device drivers – Specifies
which users can load and unload device drivers for Plug and Play
• Change the system time – Specifies which
users can change the system time.
• Manage auditing and security log – Specifies
which users are allowed to specify object access auditing options
for individual resources. A user who has this privilege also can
view and clear the security log from Event Viewer.
• Remove computer from docking station – Specifies
which users are allowed to remove their portable computer from a
docking station by selecting Eject PC from the Start
• Restore files and directories – Specifies
which users are allowed to bypass permission to be able to restore
• Shut down the system – Specifies which users
are allowed to shut down the computer.
See the following link for a more complete and detailed overview
of the available user rights in Windows XP: User
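The Deny local logon and Deny logon through terminal services rights above exist to override an Allow right that a user receives through group membership. The Python below, an added example that is not part of the TechNotes, shows how the effective logon rights of a local user are worked out under that rule: a user holds a right when the user account or one of its local groups is assigned it, and a matching Deny right wins. The right names come from the list above; the groups, users and assignments in GROUPS and USER_RIGHTS are constructed, and the helper names are assumptions.

```python
"""Effective logon rights on a local computer: a user holds a right when the
account or one of its local groups is assigned it, and a matching Deny right
overrides the Allow.  Added example, not from the TechNotes; users, groups
and assignments below are constructed."""

# Deny counterpart for each logon right that has one (names from the list above).
DENY_FOR = {
    "Log on locally": "Deny local logon",
    "Allow logon through terminal services": "Deny logon through terminal services",
}

# Constructed local groups.  Local groups are flat: members are user accounts only.
GROUPS = {
    "Administrators": {"Administrator"},
    "Users": {"jdoe", "asmith"},
    "Guests": {"Guest"},
    "Remote Desktop Users": {"asmith", "Guest"},
}

# Constructed User Rights Assignment: right -> users and groups that hold it.
USER_RIGHTS = {
    "Log on locally": {"Administrators", "Users", "Guests", "Backup Operators"},
    "Deny local logon": {"Guest"},
    "Allow logon through terminal services": {"Administrators", "Remote Desktop Users"},
    "Deny logon through terminal services": {"Guests"},
    "Shut down the system": {"Administrators", "Users"},
}


def principals_for(user, groups=GROUPS):
    """The user account plus every local group it belongs to."""
    return {user} | {name for name, members in groups.items() if user in members}


def has_right(user, right, rights=USER_RIGHTS, groups=GROUPS):
    """True if `user` effectively holds `right`; an explicit Deny always wins."""
    principals = principals_for(user, groups)
    deny = rights.get(DENY_FOR.get(right, ""), set())
    if principals & deny:
        return False
    return bool(principals & rights.get(right, set()))


def effective_rights(user, rights=USER_RIGHTS, groups=GROUPS):
    """Every non-Deny right the user can actually exercise."""
    return {r for r in rights
            if r not in DENY_FOR.values() and has_right(user, r, rights, groups)}
```

In the constructed data, Guest is granted Log on locally through the Guests group and Allow logon through terminal services through Remote Desktop Users, yet effective_rights("Guest") is empty because the two Deny rights apply to the Guest account and the Guests group respectively. That is the pattern the notes describe: assign the Allow right to a broad group and use the Deny right to carve out the exceptions.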